Cyber insurance is big business these days. With the ever-present danger of data breaches and cyber attacks, organisations must be sure that they have the financial backing to respond appropriately.
Damages incurred by information security incidents generally aren’t covered in commercial insurance policies, so a specific policy is necessary to help cover the costs of things like forensic investigation, incident response and notification procedures.
A cyber insurance policy doesn’t necessarily guarantee that you will receive aid following a data breach. Most policies include provisions requiring organisations to follow certain information security best practices.
The most common reasons that insurers reject cyber insurance claims are organisations’ failure to:
1. Conduct regular vulnerability scans
Vulnerability scans are automated tests that identify weaknesses in systems and applications.
There are a variety of off-the-shelf tools you can use to conduct vulnerability scans, each of which runs a series of ‘if–then’ scenarios that uncover known vulnerabilities.
A completed scan will provide a logged summary of alerts for your organisation to act on.
Vulnerability scanning is often paired with penetration testing, which is essentially a more in-depth analysis performed by a person. Another key difference is that penetration tests not only identify weaknesses but also show how they could be exploited.
By performing both tests regularly, organisations can clearly see how likely it is that a cyber criminal will compromise their data. If the threat is low, the insurer will be satisfied that the organisation’s systems are unlikely to be breached.
2. Document an incident response plan
The quicker you can respond to a security incident, the less severe the damage will be. That’s why you should have an incident response plan ready to go, so you can get straight to remediation without having to work out what needs to be done.
Cyber insurers generally want to know how you will mitigate the immediate financial costs (i.e. how you will prevent further damage and get back to work) and how you will manage in the long term (i.e. notifying regulators and helping affected customers).
3. Protect data in transit
Data is always on the move, whether it’s being sent to a third party, uploaded to the Cloud or stored on portable devices like laptops and USBs.
Transferring data always involves risks. The information is no longer protected by your network defences and can easily be compromised. For example, laptops can be stolen, documents can be misplaced and email accounts can be compromised.
You must therefore determine the risks associated with the method of transit and apply appropriate controls. For example, digital information should be encrypted where possible, and organisations should create strict policies on the use of laptops and removable devices.
4. Inspect the security practices of third parties
When you share information with third parties or use their services, you also share the risk, as a vulnerability in their systems could cause you to suffer a data breach.
That’s why you must take the time to investigate the security practices of any organisation you intend to work with.
Don’t assume that they take compliance seriously, and don’t work with them if they can’t demonstrate adequate controls.
Some organisations require that third parties certify to ISO 27001, the international standard for information security, to demonstrate their commitment to effective defences.
5. Perform staff awareness training
The human factor is one of the most overlooked aspects of information security. Employees will inevitably make mistakes, so they always run the risk of compromising sensitive information.
These things happen, but it’s an organisation’s responsibility to ensure they are as infrequent as possible. Staff awareness training helps employees understand the risks they introduce and why they need to remain vigilant.
Win the war against cyber crime
Discover how you can secure your organisation from these risks by enlisting in Operation Cyber Secure.
This five-week boot camp drills you on the essential steps you must take to prevent cyber attacks and data breaches.
Those who sign up will receive a free copy of the Cyber Security Combat Plan, which outlines the defence measures you should take to protect your organisation from cyber attacks.
You’ll also receive weekly emails that provide more information on how to take those steps and measures.